Securing Multi-Account Environments: How AWS Control Tower Transformed a Financial Group’s Security

Posted by taufik

September 29, 2024

A leading financial group began a digital transformation focused on cloud migration and restructuring IT operations. With one of its subsidiaries already operating on Amazon Web Services (AWS), the company decided to align all its subsidiaries with AWS for better performance and smoother operations. The key objective was to migrate their Oracle E-Business Suite (EBS) to AWS, utilizing AWS services to create a more efficient, secure, and easily manageable IT infrastructure. 

Challenge: Cloud Infrastructure

The financial group faced the challenge of enhancing operational efficiency across its subsidiaries by migrating applications to the cloud. This required a cloud transformation that would enable all its subsidiaries, which were already operating independently, to benefit from the efficiencies and innovations of cloud-based services.  The migration was not just a simple lift-and-shift. Instead, it involved rebuilding and provisioning new infrastructure in AWS. This approach ensured the subsidiaries’ Oracle EBS systems could seamlessly integrate into the parent organization’s AWS environment.  

Having already successfully migrated to AWS, the holding company recognized the potential operational benefits, such as enhanced performance, scalability, and innovation. This success led to the decision to expand AWS adoption to all their subsidiaries.  Since each subsidiary managed its own Oracle EBS account, it was important to standardize and govern these accounts to maintain consistency and control. To accomplish this, standard templates were created for each subsidiary to follow. These templates were managed through the AWS Service Catalog and AWS Control Tower to ensure consistency. 

Solution: AWS Cloud Services for Governance and Security

To address this challenge, AWS Control Tower was deployed to manage the organization’s multi-account environment. To ensure consistency, CDT uses a landing zone to create a solid and automated AWS environment for each subsidiary’s cloud adoption. 

Due to the handling of transactional data, it is crucial to ensure the security of applications. To address this, the organization implemented several key AWS security tools. The AWS Web Application Firewall (WAF) was deployed to guard against common web vulnerabilities and attacks, providing an essential layer of defense for the applications. Encryption at rest was utilized to protect sensitive data stored in the cloud, ensuring that data remains secure even when stored. 

AWS Certificate Manager (ACM) was also used to manage SSL certificates, facilitating secure communication between users and servers. For enhanced security monitoring and threat detection, AWS GuardDuty and CloudTrail were integrated. GuardDuty continuously monitors for malicious activity, while CloudTrail provides detailed logs of account activity, enabling better visibility and response to potential threats, even with internal-only application access. 

Operational and Business Benefits

The migration and restructuring resulted in significant operational improvements. By centralizing Oracle EBS on AWS, the business gained the ability to manage its systems remotely and efficiently, without the concerns tied to on-premises data center issues. 

For the organization, this was a new experience. With AWS Control Tower, managing multiple accounts and their governance became much simpler. In contrast to the on-premises approach, where each account had to be manually managed, Control Tower introduced automation, greatly reducing the complexity of account management and governance. 

The most notable benefits were operational. Issues could now be resolved remotely from anywhere, without worrying about the physical data center. Moreover, the business reported smoother day-to-day operations, which not only ensured continuity but also provided the flexibility needed to innovate and stay agile. 

The company plans to enhance security and protect sensitive data by adopting global compliance standards like PCI DSS and ISO PDP. To support this, they will implement AWS Security Hub, which will continuously monitor for potential risks and ensure compliance with best practices. By integrating AWS Security Hub, the company will streamline security management, gain centralized visibility into security metrics and proactively address vulnerabilities across its cloud infrastructure. 

Migration with CDT

Central Data Technology (CDT), as an AWS Advanced Partner in Indonesia, conducts Security Risk Assessments (SRA) to help organizations identify potential security vulnerabilities and recommend steps to enhance the security of their AWS environments. These regular assessments ensure that cloud infrastructure remains secure, scalable, and compliant, enabling businesses to continue innovating and operating efficiently. 

Through AWS Control Tower and Landing Zone, combined with SRA, organizations can easily standardize processes, automate governance, and reduce manual workloads. This is particularly vital in the financial sector, where strict security and regulatory compliance are essential. By implementing AWS security tools such as Web Application Firewall (WAF), encryption at rest, AWS Certificate Manager (ACM), GuardDuty and CloudTrail, businesses can strengthen their data protection while continuously monitoring for potential threats. 

Migrating to AWS with CDT’s support allows organizations to build a centralized infrastructure that simplifies multi-account management and ensures top-tier security and compliance. Additionally, AWS enhances operational efficiency, setting the foundation for future growth and innovation. 

Privacy & Policy

PT Central Data Technology (“CDT” or “us”) is strongly committed to ensuring that your privacy is protected as utmost importance to us. https://centraldatatech.com/ , we shall govern your use of this website, including all pages within this website (collectively referred to herein below as this “Website”), we want to contribute to providing a safe and secure environment for visitors.

The following are terms of privacy policy (“Privacy Policy”) between you (“you” or “your”) and CDT. By accessing the website, you acknowledge that you have read, understood and agree to be bound by this Privacy Policy

Use of The Subscription Service by CDT and Our Customers

When you request information from CDT and supply information that personally identifies you or allows us to contact you, you agree to disclose that information with us. CDT may disclose such information for marketing, promotional and activity only for the purpose of CDT and the Website.

Collecting Information

You are free to explore the Website without providing any personal information about yourself. When you visit the Website or register for the subscription service, we provide some navigational information for you to fill out your personal information to access some content we offered.

CDT may collect your personal data such as your name, email address, company name, phone number and other information about yourself or your business. We are collecting your data in some ways, online and offline. CDT collects your data online using features of social media, email marketing, website, and cookies technology. We may collect your data offline in events like conference, gathering, workshop, etc. However, we will not use or disclose those informations with third party or send unsolicited email to any of the addresses we collect, without your express permission. We ensure that your personal identities will only be used in accordance with this Privacy Policy.

How CDT Use the Collected Information

CDT use the information that is collected only in compliance with this privacy policy. Customers who subscribe to our subscription services are obligated through our agreements with them to comply with this Privacy Policy.

In addition to the uses of your information, we may use your personal information to:

  • Improve your browsing experience by personalizing the websites and to improve the subscription services.
  • Send information about CDT.
  • Promote our services to you and share promotional and informational content with you in accordance with your communication preferences.
  • Send information to you regarding changes to our customers’ terms of service, Privacy Policy (including the cookie policy), or other legal agreements

Cookies Technology

Cookies are small pieces of data that the site transfers to the user’s computer hard drive when the user visits the website. Cookies can record your preferences when visiting a particular site and give the advantage of identifying the interest of our visitor for statistical analysis of our site. This information can enable us to improve the content, modifying and making our site more user friendly.

Cookies were used for some reasons such as technical reasons for our website to operate. Cookies also enable us to track and target the interest of our users to enhance the experience of our website and subscription service. This data is used to deliver customized content and promotions within the Helios to customers who have an interest on particular subjects.

You have the right to decide whether to accept or refuse cookies. You can edit your cookies preferences on browser setup. If you choose to refuse the cookies, you may still use our website though your access to some functionality and areas of our website may be restricted.

This Website may also display advertisements from third parties containing links to other websites of interest. Once you have used these links to leave our site, please note that we do not have any control over the website. CDT cannot be responsible for the protection and privacy of any information that you provide while visiting such websites and this Privacy Policy does not govern such websites.

Control Your Personal Data

CDT give control to you to manage your personal data. You can request access, correction, updates or deletion of your personal information. You may unsubscribe from our marketing activity by clicking unsubscribe us from the bottom of our email or contacting us directly to remove you from our subscription list.

We will keep your personal information accurate, and we allow you to correct or change your personal identifiable information through marketing@centraldatatech.com